2002-09-14 / 01:00 VIRUS STRIKE

It took the F-Secure virus lab four hours to come up with a disinfectant for the Slapper worm. Future super viruses may only allow for a response time of 15 seconds.
Friday. “For some reason, worms usually appear on a Friday,” says Mikko Hyppönen, Antivirus Research Manager at F-Secure.

It seems to be a rule of thumb for virus authors to release self-replicating server-to-server worms just when most virus specialists and corporate IT staff are heading home for the weekend, while viruses propagated through e-mail are released at the beginning of the week to maximize their effect, clogging up e-mail systems for days on end.


The two most significant virus epidemics of the past year, the Slapper worm and the Bugbear e-mail virus, were textbook cases in this respect. Slapper was released on the night of Saturday, September 14, 2002, while Bugbear appeared on Monday, September 31, 2002, when most virus specialists were on their way home from a major professional seminar in the field in New Orleans.


The tactics of virus specialists rely on anticipation and non-disclosure. Macro viruses had been discussed in limited circles for some years before the first virus author came up with the idea in 1995.


Anticipation is combined with readiness. Of the eight virus researchers employed by F-Secure, three are on call next to a phone and a computer at all times. If something happens during the night, the US office wakes them up.


When an epidemic starts, everything comes down to response time. The clock starts ticking at the moment the company receives a sample of a new virus and stops when an update to disinfect that virus is published. Customer agreements stipulate a maximum response time of 12 hours. Hyppönen’s team clocks in at an average of two and a half hours.


Process. “How does an antivirus lab work?” Hyppönen repeats the question. “It’s not something we usually talk about. People in the field rarely publicize their processes.”


He opens the locked door to the antivirus lab on the fourth floor. No other journalist has been in here before except for a reporter from Focus magazine in Germany.


Hyppönen, 33, joined the company 12 years ago when it was still “very much a student project”. Today, the company employs over 300 people, and the three-tier alert classification of the antivirus lab is chillingly reminiscent of the DefCon classification of preparedness for nuclear war in American war films.


Inside, no fog or cobwebs can be seen, nor eerily lit screens. The room is brightly lit and empty.

Long rows of computers are lined up against two walls. One set is for testing antivirus database updates to be sent to customers. The other set can be used to simulate a real corporate network to test its strength.

The computer used to publish database updates for customers is in a sealed cabinet. The update keys are kept in a safe. None of the other computers is connected to the Internet.


Fighting viruses is a game of trust. The strict regulations stipulate that no CD-ROMs or other storage media may be removed from the room.


On the day before the interview, the system of Kaspersky Labs in Moscow was invaded. A cracker humiliated the company by sending a virus alert in the company’s name to its customers. The alert itself contained the virus in question.

Hyppönen admits that this is one of the most terrible things that can happen to a data security company. “Fortunately, they had already released an update which disinfected that particular worm, so the customers’ computers weren’t really at risk.”


The eight virus specialists at F-Secure each have their own speciality, such as Windows binaries, Linux, macros, scripts or mobile terminal devices.

“I’m in charge of the lab, and Katrin Tocheva, a Bulgarian who has been with us for five years, is the team manager. She’s responsible for publishing updates. Alexey Podrezov is a former McAfee employee recruited four years ago. He’s in charge of the Windows side. Gergely Erdélyi is a Linux guru from Hungary who joined two and a half years ago. He was a major player in the Slapper case. Ero Carrera from Spain is a junior virus specialist whose strength is also Linux,” Hyppönen describes his team members.

“We only do research, publish updates and issue alerts. The other 310 people in the company manage everything else.”


The lab’s e-mail boxes show that the specialists receive messages, queries and samples at the rate of a few every hour from all over the world. Every sample must be investigated.

“Most virus samples come from the field, either from our paying customers or people who use the freeware version of our software. Often it’s these enlightened home users who first encounter new viruses, and because of that they’re very important to us,” Hyppönen says. “The rest of the samples come from other virus labs through a sample exchange programme.”


Once a virus sample has been received, it is analysed to find a unique segment of code, typically its replication routine. “This means finding a bit of code that you’d never find in a clean copy of any legitimate software. Then we devise an identification routine, test it and release it to the world,” Hyppönen says.
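The loop Hyppönen describes, pick a segment from the sample, confirm that no clean software contains it, ship an identification routine, reduced to a runnable illustration. This is an added example and not F-Secure’s code: the worm sample, the clean corpus, the 16-byte signature length and the analyst-marked region are all constructed stand-ins, and the byte strings are synthetic, not real malware or real program code.

```python
"""Added example, not F-Secure's code: the signature workflow the article
describes, reduced to its essentials.  Every byte string here is a constructed
stand-in, not real malware or a real binary."""
from __future__ import annotations

# Bytes that legitimate programs and the worm sample share (a constructed
# "common library" region).  A signature drawn from here would false-positive.
SHARED_PREFIX = b"\x7fELF" + b"libc.so.6\x00" + b"printf\x00strcpy\x00socket\x00"

# Constructed stand-in for the worm's replication routine: the part an analyst
# picks because no legitimate software contains anything like it.
REPLICATION_ROUTINE = b"\xde\xad\xbe\xefSCAN-RANDOM-IP\xca\xfe\xba\xbeCOPY-SELF\x00"

WORM_SAMPLE = SHARED_PREFIX + b"\x90" * 8 + REPLICATION_ROUTINE + b"\x00" * 8

# Constructed clean corpus: the kind of legitimate files an update is tested
# against before it ships.  All of them share the prefix with the sample.
CLEAN_CORPUS = {
    "httpd": SHARED_PREFIX + b"Apache/1.3.26 (Unix)\x00",
    "sshd": SHARED_PREFIX + b"OpenSSH_3.4p1\x00",
    "ls": SHARED_PREFIX + b"GNU coreutils\x00",
}


def false_positives(signature: bytes, corpus: dict[str, bytes]) -> list[str]:
    """Names of clean files that contain `signature`.  Must be empty before release."""
    return [name for name, data in corpus.items() if signature in data]


def select_signature(sample: bytes, corpus: dict[str, bytes],
                     region: tuple[int, int], length: int = 16) -> bytes | None:
    """Slide a window over the analyst-marked region (start, end) of the sample
    and return the first `length`-byte segment that appears in no clean file:
    the 'bit of code you would never find in a clean copy of any legitimate
    software'.  Returns None if every window also occurs in the clean corpus."""
    start, end = region
    for offset in range(start, end - length + 1):
        candidate = sample[offset:offset + length]
        if not false_positives(candidate, corpus):
            return candidate
    return None


def scan(files: dict[str, bytes], signature: bytes) -> list[str]:
    """The identification routine shipped in an update: report every file
    whose contents contain the signature."""
    return sorted(name for name, data in files.items() if signature in data)


def build_and_test_update(sample: bytes = WORM_SAMPLE,
                          corpus: dict[str, bytes] = CLEAN_CORPUS) -> dict:
    """Whole lab loop: pick a signature from the replication routine, check it
    against the clean set, then scan a mixed set of clean and infected files."""
    naive = sample[:16]  # a segment from the shared prefix: what NOT to ship
    routine_start = sample.find(REPLICATION_ROUTINE)  # stands in for manual analysis
    region = (routine_start, routine_start + len(REPLICATION_ROUTINE))
    signature = select_signature(sample, corpus, region)
    if signature is None:
        raise ValueError("sample indistinguishable from clean corpus at this length")
    mixed = dict(corpus, suspect=sample)
    mixed["suspect-copy"] = b"\x00" * 3 + sample  # same worm at a different offset
    return {
        "naive_false_positives": false_positives(naive, corpus),
        "signature": signature,
        "signature_false_positives": false_positives(signature, corpus),
        "detected": scan(mixed, signature),
    }


if __name__ == "__main__":
    for key, value in build_and_test_update().items():
        print(f"{key}: {value!r}")
```

The naive 16-byte prefix matches all three clean files, which is exactly the false positive the clean-corpus test exists to catch; the segment taken from the replication routine matches none of them and finds both copies of the sample regardless of where in the file the code sits.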


Each update is delivered to F-Secure’s own customers and to ISPs who use F-Secure to provide data security services for their customers.


Friends and enemies. When the talk turns to night-time operations, 24-year-old virus specialist Gergely Erdélyi glances at his colleague Ero Carrera and quips that they have no life. Both are wearing bright red F-Secure T-shirts.

“Being ready all the time is part of the job. It’s like being a policeman or a doctor.”


Response time is a merciless indicator.

“I began working with viruses six years ago. At that time, it could take months or even a year for a virus to become widespread. Now it’s a matter of days or even of minutes. A crisis is like running through a dark forest without knowing what’s there. A virus may be excruciatingly difficult to analyse, but it has to be done. The reward is a feeling of a job well done,” Erdélyi explains.


It is easy to understand that young men enjoy challenges. But Erdélyi does not say that viruses are the best part of his job.

“You couldn’t really say that,” he grins. “But it’s an adrenaline rush, I have to say. The critical thing is that you have to stand the pressure.”


Hyppönen likes to talk about his lab’s response times. For instance, in the case of the Goner worm, F-Secure beat the response time of its next fastest competitor, Trend Micro, by half an hour. Are response times an important criterion for customers?

“I hope so. On the other hand, rapid response is the default. When we do a good job, no one comes to thank us especially. But if it took us a week to release an update, we’d get nasty feedback that would be reflected in the company’s image,” Hyppönen replies.
Although competition between data security companies is tough, virus specialists seem to cooperate closely.

“Companies are bitter rivals in marketing and sales, but there is solidarity between specialists,” Hyppönen agrees.

“It’s in the users’ interest. In the 1980s, there were certain unhealthy phenomena such as someone publishing a notification on a new version of the Jerusalem virus and then sitting on the sample so that no one else could analyse Jerusalem II because no samples were available.”


Today, sample exchange between data security companies is standard practice. For instance, F-Secure received its sample of the Bugbear worm from Symantec in Australia. Collegial cooperation even extends beyond sample exchange.

“It’s about personal relations. If Jimmy Kuo from McAfee rings and asks for advice on how to decode a sample, then of course we’ll help him. I’ve known him for years, and I know that he’d help us too — as indeed he has,” Hyppönen says. “Sure, he works for a competitor, but so what?”


Virus specialists are into networking for the simple reason that there is very little brain capacity in the field. Hyppönen estimates that there are fewer than 100 top specialists in the world, and antivirus research is not taught anywhere.

“Everyone in the field is more or less self-educated through finding out things for himself.”

So virus specialists are self-made men — just like virus authors? But is the latter group growing more quickly?

“Unfortunately, yes. But we can’t go hiring them. You don’t recruit the enemy; that’s been company policy from the very beginning,” Hyppönen says categorically.


Specialists are reluctant to discuss virus authors in any detail. Gergely Erdélyi says he rarely considers what makes them tick.

Nevertheless, an author leaves his mark on his work. “The code conveys a hint of the author’s personality, or at least of his coding skills. You can tell whether the code is well or poorly written,” Erdélyi says.

When data security experts discuss virus authors, a certain amount of esteem can be detected. That seems curious.

Hyppönen admits to thinking about this.

“It’s about the respect of one technical craftsman for another. For example, the virus author known as Dark Avenger was a highly intelligent and skilled code-writer whose every virus did something new,” Hyppönen says. “He’s been gone for a long time now. I think his last virus appeared in 1993.”


No one ever found out who Dark Avenger was, but another technical wizard, the author of the SMEG family of polymorphic viruses, ended up in prison for his efforts.

An impoverished Bulgarian nerd writing brilliant virus code may command some sort of respect among the antivirus community, but a case like Nimda earns nothing but scorn from Hyppönen, even though the virus was skilfully coded.

“It very quickly projected the impression that we were no longer talking about amateurs. It was written by a dedicated group with a motive and an agenda. Naturally such a group can write good code,” Hyppönen fumes.


Super worm. 2001 was the year of the worm. Nimda infected 2.2 million computers in one day, according to Computer Economics, and EUR 535 million was spent in repairing the damage. The most destructive worm of all was Code Red, which caused damage worth EUR 2.6 billion according to one estimate.

This, however, was only a prelude. The computer world is waiting in trepidation for the appearance of ‘flash’ worms.

The term ‘flash’ refers to the rate at which such worms spread.


“The attack network generated by Slapper was a good idea,” says Hyppönen. “Code Red was programmed to attack the White House website on July 19, and once launched it was beyond the control of its author. The author of Slapper, by contrast, had full control of every infected machine all the time through an anonymous channel.”


The distribution routine, however, was rudimentary.

“The way an infected computer began to look for new victims was extremely stupid. It simply generated a random IP address and then checked whether that address had a computer, and if so whether it had the right sort of server, and if so whether it had the right sort of software with a loophole in it. If all these conditions were met, it could infect the server.”

But in 99.99% of cases there was no computer, no server and/or no loophole, and the worm could do no more than generate a new address.

“There are a lot of addresses on the Internet: some 4.2 billion. At that rate, it would take 130 years to run through them all. Of course, this would be cut down because every now and again the worm would find a suitable computer that would then begin spreading the worm as well. But it’s slow in any case.”


The super worm of the future will be much more intelligent. For example, instead of generating random addresses, it will carry a payload of, say, 10,000 suitable addresses. The author can generate a list of targets by using Google. As the flash worm infects targets, the list is distributed again and again.

“This dramatically increases the rate at which the worm spreads. Instead of days, we’re talking about 15 minutes or 15 seconds,” Hyppönen says. “With our current response time of two to three hours, we’d be simply nowhere. By the time we had published an update, the worm would have achieved everything it was designed to do and shut down.”
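The arithmetic behind the two passages above (the 130-year figure for exhaustive random scanning and the seconds-scale spread of a hitlist worm), set against a lab’s response time, as an added example that is not from the article or from F-Secure. It goes slightly beyond the text: the random-scanning case uses the logistic epidemic model from the Berkeley paper Hyppönen refers to rather than the exhaustive-scan bound alone. The 4.2 billion addresses, 130 years, 10,000-entry hitlist and 2.5-hour response are the article’s figures; the 20,000 vulnerable hosts, one probe per second and one-second infection latency are constructed assumptions.

```python
"""Added example, not from the article or from F-Secure: a back-of-the-envelope
model of the two spreading strategies the text contrasts, random scanning
versus a pre-computed hitlist, compared against a lab's response time.
Figures quoted from the article: ~4.2 billion addresses, 130 years, a 10,000
address hitlist, a 2.5-hour average response.  All other parameters are
constructed assumptions used only for illustration."""
import math

IPV4_SPACE = 2 ** 32                 # 4,294,967,296 addresses
SECONDS_PER_YEAR = 365.25 * 86400
ARTICLE_ADDRESSES = 4.2e9            # the article's rounded figure
LAB_RESPONSE_HOURS = 2.5             # article: "an average of two and a half hours"


def years_to_exhaust(addresses: float, probes_per_second: float) -> float:
    """Years one host needs to probe every address once at the given rate."""
    return addresses / probes_per_second / SECONDS_PER_YEAR


def implied_probe_rate(addresses: float, years: float) -> float:
    """Probe rate (addresses/second) that exhausts `addresses` in `years`:
    what 'at that rate' in the article amounts to."""
    return addresses / (years * SECONDS_PER_YEAR)


def random_scan_growth_rate(vulnerable: int, scan_rate: float,
                            address_space: int = IPV4_SPACE) -> float:
    """K in the logistic epidemic model da/dt = K*a*(1-a), where a is the
    fraction of the vulnerable population already infected (Staniford,
    Paxson & Weaver, 'How to Own the Internet in Your Spare Time', 2002).
    Each infected host hits a vulnerable, uninfected host with probability
    vulnerable/address_space per probe."""
    return scan_rate * vulnerable / address_space


def random_scan_fraction(t_seconds: float, vulnerable: int, scan_rate: float,
                         initial: int = 1) -> float:
    """Fraction infected after t seconds under random scanning (closed-form
    solution of the logistic equation from an initial fraction a0)."""
    k = random_scan_growth_rate(vulnerable, scan_rate)
    a0 = initial / vulnerable
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t_seconds))


def random_scan_time_to(target: float, vulnerable: int, scan_rate: float,
                        initial: int = 1) -> float:
    """Seconds until the random-scanning model reaches `target` fraction
    infected (the inverse of random_scan_fraction)."""
    k = random_scan_growth_rate(vulnerable, scan_rate)
    a0 = initial / vulnerable
    return math.log((target / (1.0 - target)) * (1.0 / a0 - 1.0)) / k


def hitlist_time(targets: int, infection_latency_s: float) -> float:
    """Idealised hitlist ('flash') worm: each infected host splits its
    remaining list with every new victim, so the infected population doubles
    once per infection latency and the list is exhausted after ceil(log2 n)
    rounds.  No probing of empty address space is needed."""
    return math.ceil(math.log2(targets)) * infection_latency_s


def outpaces_response(spread_seconds: float,
                      response_hours: float = LAB_RESPONSE_HOURS) -> bool:
    """True when the worm finishes spreading before a signature update could ship."""
    return spread_seconds < response_hours * 3600


if __name__ == "__main__":
    print(f"{ARTICLE_ADDRESSES:.1e} addresses at 1 probe/s: "
          f"{years_to_exhaust(ARTICLE_ADDRESSES, 1.0):.0f} years to exhaust")
    print(f"130 years implies {implied_probe_rate(ARTICLE_ADDRESSES, 130):.2f} probes/s per host")
    # constructed: 20,000 vulnerable servers, one random probe per second per host
    t_random = random_scan_time_to(0.9, vulnerable=20_000, scan_rate=1.0)
    print(f"random scanning, 90% of 20,000 hosts: {t_random / 86400:.1f} days; "
          f"beats a {LAB_RESPONSE_HOURS}h response: {outpaces_response(t_random)}")
    # constructed: 10,000-entry hitlist (article's figure), one second per infection
    t_hit = hitlist_time(10_000, 1.0)
    print(f"hitlist of 10,000, 1 s latency: {t_hit:.0f} s; "
          f"beats a {LAB_RESPONSE_HOURS}h response: {outpaces_response(t_hit)}")
```

Run stand-alone, the 130-year figure turns out to correspond to roughly one probe per second per host, the random-scanning model with the constructed parameters takes about a month to reach 90 percent of the vulnerable population, and the idealised 10,000-entry hitlist is exhausted in 14 doublings, the same order as the “15 seconds” Hyppönen quotes. The comparison with `LAB_RESPONSE_HOURS` is the point for a defender: a signature update that takes hours is a real control against the first case and no control at all against the second.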


Hyppönen sketches the logic of the super worm on a white board as he speaks. All this is theory — so far. But why is he telling us all this? Would it not be better to keep it quiet?

“I wouldn’t be telling you this if an academic researcher at Berkeley hadn’t published a paper on the subject six months ago. Which I think sucks big time,” Hyppönen complains. “Traditionally, such things are not spoken of, because silence slows down virus development and release. He’s in academia, and he didn’t know that you just don’t say this sort of thing out loud.”

The paper was entitled ‘How to Own the Internet in Your Spare Time’. Its bleak visions are backed up with theory and mathematical formulas. So the cat is out of the bag, and the gauntlet has been thrown down for all the virus authors in the world.

The fear of the entire Internet going down some day is a realistic one. However, Hyppönen is surprisingly calm when he discusses the super worm scenario.

“Oh, it’ll happen all right — it’s only a matter of time. This theory is now being actively discussed in virus author newsgroups, which are very much like the notorious home chemistry forums,” Hyppönen says and pauses to think.

“But even in the worst case scenario, this would only bring down the Internet. It wouldn’t blow up nuclear power stations or crash planes.”

Post Mortem: The Super Virus was found on the 24th of January 2003. Named Slammer, it scanned all the computers in the public internet in roughly 13 minutes, infecting more than 100 thousand database servers and crashing ATM machines and air services.
Senior virus specialist Sami Rautiainen at F-Secure reads his e-mail at home. He is one of the three lab employees on call.

Rautiainen’s attention is drawn by a message sent to an e-mail list on the data security of multinational corporations. The message describes the strange behaviour of a Linux server in Romania.

He scans for signs of a potential new worm. By 11.30, he has found indications on both European and American servers.

He notifies team manager Katrin Tocheva, who rings research manager Mikko Hyppönen.

Sat 2002-09-14 / 12.30

Hyppönen answers the phone. He is at home making lunch. Linux viruses are still rare, and for this reason Hyppönen takes up the case with Tocheva and Rautiainen even though he is not officially on call.

Sat 2002-09-14 / 12.40

They find that the F-Secure Internet servers are offline because the power has been shut down for maintenance work. The specialists fall back on backup systems and use MSN Messenger and Yahoo Webmail to communicate.

The worm seems to infect Apache web servers whose OpenSSL libraries have not been updated. It exploits a loophole for which a patch has been available for over a month.

Specialists at Symantec in Australia dub the virus ‘Slapper’. The hunt is on. Computers with the right sort of Apache server and a non-updated OpenSSL library are set up as bait.


Sat 2002-09-14 / 13.00

Frisk Software, F-Secure’s product development partner in Iceland, catches the first live sample of the worm and sends it to Finland.

The specialists analyse the code, seeking a characteristic bit to use as a search term in virus scanning. A new antivirus database update is created.

The worm is forming an attack network of the infected computers. The Internet Storm Center service carries a rumour that this network has already attacked an unspecified ISP.

Hyppönen notifies the CERT-FI unit of the Finnish Communications Regulatory Authority (FICORA), which contacts Finnish ISPs.


Sat 2002-09-14 / 13.40

The first analysis of the sample is written and published online. Often, even a 15-line bulletin is enough to help fight the infection even if an antivirus database update is not yet available. After all, in the case of Nimda it was enough to alert administrators to block attachment files named README.EXE.
Sat 2002-09-14 / 15.00

The maintenance work is done, power is restored, and the virus specialists return to their principal workstations.

Sat 2002-09-14 / 15.20

‘F-Secure Radar Level 2 Alert’. Hyppönen releases a bulletin on raising the level of readiness. This means that a potentially dangerous virus is on the loose but that the situation is not critical.

Customers subscribing to the Radar service are notified by SMS message.


Sat 2002-09-14 / 16.00

Rautiainen drives to the office and begins testing the new update in the lab.

Sat 2002-09-14 / 16.30

Communication assistant Henrietta Malmari and Mikko Hyppönen decide to issue a press release. Usually this is done only if the readiness is raised to Level 1. This exceptional decision is taken so that IT professionals off duty for the weekend can hear of this new potential threat through the media. The press release is phrased in cautiously concerned tones.


Sat 2002-09-14 / 18.20

The person responsible for data security in F-Secure’s own systems floats an unusual idea: “If the worm generates an attack network of infected computers, wouldn’t it be possible to break into it?” Linux expert Gergely Erdélyi is considered to be the man for the job. The young Hungarian was planning to spend the weekend with his girlfriend, but his plans are changed with a call from his supervisor. Erdélyi is excited by the idea of doing something unusual with a worm in a Linux environment. He begins to reverse-engineer the network protocol of the worm.

Rautiainen finishes testing the update. Push technology transfers the packages to customers’ systems. A technical description of the worm is published online. With the description and the disinfection routine completed, four hours and ten minutes have elapsed, 90 minutes more than for an average Windows virus. Hyppönen, however, is satisfied. No one has all that much experience in analysing Linux worms.

Sat 2002-09-14 / 22.00

The day is done for everyone except Gergely Erdélyi, who has successfully decoded the worm’s network protocol and begins to code a daemon which would enable the worm’s attack network to be penetrated.


Sun 2002-09-15 / 12.00

Hyppönen is shopping at his local grocery store when a tired Erdélyi rings him and says that the daemon is functional.

Erdélyi has managed to penetrate the worm’s attack network during the night, and now F-Secure is the only antivirus company in the world that knows the exact number of infected computers and their addresses.

Initial figures show that Slapper has infected 5,800 computers. Erdélyi and Hyppönen recall that a 20-server attack brought down Amazon in early 2000.

Sun 2002-09-15 / 16.00

The worm is avoiding the bait computer, which is swapped for another. The IT department reluctantly parts with its network game server, a Linux machine.

Hyppönen rings Risto Siilasmaa, managing director of F-Secure, to review the weekend’s events and to discuss the content of a second press release.

The second press release, issued around 23.00, is more sombre in tone than the first. “A rapidly spreading new Linux worm gives the attacker control of infected computers.”
Mon 2002-09-16 / 10.00

Data security expert Kauto Huopio at the CERT-FI unit at FICORA rings Hyppönen and reviews the order of play in which information on infected computers may be passed forward. What, for instance, would a data security company do if a list of, say, 900 infected German servers were to fall into the wrong hands and get crammed with porn?

CERT-FI begins to contact Finnish IT administrators by phone.

Mon 2002-09-16 / 13.00

The number of infected computers tops 13,000. The virus specialists have realized that they have the means to dispose of the worm quickly: by entering the infected servers through the same loophole as the worm used, they could issue a kill command.

This, however, would be illegal. The company lawyer considers that they would be guilty of unauthorized server access at the very least.

Instead of implementing this quick fix, the specialists begin contacting the thousands of server administrators involved.

In the course of the day, the four leading antivirus companies — Symantec, Trend Micro, McAfee and Computer Associates — each release a database update.
Mon 2002-09-16 / 16.00

‘F-Secure Radar Upgraded to Level 1’. All scheduled in-house meetings are cancelled. All remaining virus specialists are called in. The entire staff is informed. Administrators in customer companies subscribing to the Radar service are notified by SMS message.

Temps are hired to man the switchboard, and the tapes containing music played for callers on hold are replaced with instructions on how to disinfect the worm. Sales staff contact major customers and tell them what is going on.


Mon 2002-09-16 / 18.00

The number of infected computers has increased by 5,000 to 18,000 in five hours.

A free version of a virus scanner for Linux is published online.

Ero Carrera, acting on instructions from Kauto Huopio, sends the CERT authorities in 13 countries a list of the infected servers. At 21.00, a mass e-mail is sent to the administrators of 7,000 servers, with instructions on how to disinfect the worm. 2,000 of them are not reached.


Tue 2002-09-17 / 09.00

Users are cleaning up their computers, and the spreading of the worm is halted. The number of infections remains below the 20,000 mark.

A graphic updated every hour is published in the evening, showing the number of servers still infected. There are about 2,000 of them, roughly equal to the number of administrators who were not reached.


Wed 2002-09-18 / 04.00

In the night, a private individual publishes a tool online for killing the worm within the servers. This has been discussed in antivirus news groups for a few days. This is exactly what the company lawyer warned the lab against on Monday.

The impact is dramatic. The number of infected servers drops from 1,400 to about 400 within an hour.


Wed 2002-09-18 / 09.00

The number of computers still active in the attack network drops below 200 and eventually to a few dozen.

Experts begin debating how serious a threat Slapper actually was.

The weak point of the worm is — surprisingly — data security. For example, communication between infected servers is not encrypted, and information on computers linked to the attack network can easily be retrieved.

Despite its ‘shortcomings’, the peer-to-peer networking capabilities of the worm represent a major step in virus evolution.

Later, Mikko Hyppönen mentions the need to set up an official international organization that would have the authority to perform defensive network actions. The suggestion is met with mixed emotions.

The worm, however, is not yet dead. Its author can still launch denial-of-service attacks with the two dozen or so servers he still controls, which is plenty.

New B and C versions of Slapper appear in subsequent weeks.


